CVE-2021-21677 – io.jenkins.plugins:code-coverage-api

Package

Manager: maven
Name: io.jenkins.plugins:code-coverage-api
Vulnerable Version: >=0 <1.4.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02576 pctl0.85003

Details

RCE vulnerability in Jenkins Code Coverage API Plugin Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply [JEP-200 deserialization protection](https://github.com/jenkinsci/jep/tree/master/jep/200) to Java objects it deserializes from disk. This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes. Jenkins Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.

Metadata

Created: 2022-05-24T19:12:36Z
Modified: 2023-10-27T16:01:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-58pr-hprx-7hg6/GHSA-58pr-hprx-7hg6.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-58pr-hprx-7hg6
Finding: F096
Auto approve: 1